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Abstract 

We give efficient quantum algorithms for HlDDEN TRANSLATION and HlDDEN S UB GROUP in a 
• large class of non-abelian groups including solvable groups of bounded exponent and of bounded derived 

çS) [ series. Our algorithms are recursive. For the base case, we solve efficiently HlDDEN TRANSLATION in 

Z™, whenever p is a fixed prime. For the induction step, we introduce the problem ORBIT COSET 
generalizing both HlDDEN TRANSLATION and HlDDEN SUBGROUP, and prové a powerful self- 
reducibility result: ORBIT COSET in a finite group G, is reducible to ORBIT COSET in G/N and 
subgroups of N, for any solvable normal subgroup N of G. 
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1 Introduction 



Quantum computing is an extremely active research area (for surveys seee.g. [ RPOOj , Aha9£, Pre98, NCOC]), 



where a growing trend is to cast quantum algorithms in a group theoretical setting. In this setting, we are 
given a finite group G and, besides the group operations, we also have at our disposal a function / mapping 
G into a finite set. The function / can be queried via an oracle. The complexity of an algorithm is measured 
by the overall running time counting one query as one computational step. The most important unifying 
problem of group theory for the purpose of quantum algorithms has turned out to be HlDDEN SUBGROUP, 
which can be cast in the following broad terms: Let H be a subgroup of G such that / is constant on each 
left coset of H and distinct on different left cosets. We say that / hides the subgroup H. The task is to 
determine the hidden subgroup H. 

While no classical algorithm can solve this problem with polynomial query complexity, the biggest 
success of quantum computing until now is that it can be solved by a quantum algorithm efficiently whenever 
G is abelian. We will refer to this algorithm as the Standard algorithm for HlDDEN SUBGROUP. The 
main tool for this solution is Fourier sampling based on the (approximate) quantum Fourier transform for 



abelian groups which can be efficiently implemented quantumly [ Kit95 ] . Simon's xor-mask finding [ Sim97| ] , 
Shor's factorization and discrete logarithm finding algorithms [ |Sho97 ], and Kitaev's algorithm [ Kit95 ] for 



the abelian stabilizer problem are all special cases of this general solution. 

Addressing HlDDEN SUBGROUP in the non-abelian case is considered to be one of the most important 
challenge at present in quantum computing. Besides its intrinsic mathematical interest, the importance of 
this problem is enhanced by the fact that it contains as a special case the graph isomorphism problem. 
Unfortunately, non-abelian HlDDEN SUBGROUP seems to be much more difficult than the abelian case, 
and although considerable efforts were spent on it in the last years, only a few successes can be 
reported. They can be divided in two categories. The Standard algorithm is extended to some non- 
abelian groups in [RB98, HRTO0| , GSVV01] using the quantum Fourier transform over these groups. 
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Unfortunately, efficient quantum Fourier transform implementations are known only for a few non-abelian 
groups [ $ea97| , [PRB99Í |RB98| , |l·lRTO0| ]. In a different approach, HlDDEN SUBGROUP was efíiciently solved 
in the context of specific black-box groups [ BS84 , WatOl ] by [ IMS01 ] without using the Fourier transform 
on the group. 

In face of the apparent hardness of HlDDEN SUBGROUP in non-abelian groups, a natural line of research 
is to address subproblems of HlDDEN SUBGROUP which, in some groups, centralize the main difficulty of 
the original problem. In a pioneering paper, Ettinger and H0yer [ pHO0| ], in the case of dihedral groups, 
implicitly considered another paradigmàtic group problem, HlDDEN TRANSLATION. Here we are given 
two injective functions /q and fi from a finite group G to some fïnite set such that, for some group 
element u, the equality fi(xu) = fo(x) holds for every x. The task is to find the translation u. In 
fact, whenever G is abelian, HlDDEN TRANSLATION is an instance of HlDDEN SUBGROUP in the semi- 
direct product G x Z 2 , where the hiding function is f(x, b) = fb(x). In that group / hides the subgroup 
H = {(0, 0), (u, 1)}. Actually, there is a quantum reduction also in the other direction and the two problems 
are quantum polynomial time equivalent [ EHOC ]. A nice consequence of this equivalence is that instead of 
dealing with HlDDEN SUBGROUP in the non-abelian group G x Z 2 , we can address HlDDEN TRANSLATION 
in the abelian group G. Ettinger and H0yer [|EH(Xj have shown that HlDDEN TRANSLATION can be solved 
by a two-step procedure when G = Zjv is cyclic: polynomial number of Fourier samplings over the abelian 
group Zjv x Z 2 followed by an exponential classical stage without further queries. 

Our first result (Theorem |]) is an efficient quantum algorithm for HlDDEN TRANSLATION in the case 
of elementary abelian p-groups, that is groups Z™, for any fixed prime number p. The quantum part 
of our algorithm is the same as in the Ettinger and H0yer procedure: it consists in performing Fourier 
sampling over the abelian group Z™ x Z2. But while their classical postprocessing requires exponential 
time, here we are able to recover classically the translation in polynomial time from the sampling. It turns 
out that Fourier sampling produces vectors y's non-orthogonal to the translation u, that is we get linear 
inequations for the unknown u. This is different from the situation in the Standard algorithm for the abelian 
HlDDEN SUBGROUP, where only vectors orthogonal to the hidden subgroup are generated. We show that, 
after a polynomial number of samplings, the system of linear inequations has a unique solution with high 
probability, which we are able to determine in deterministic polynomial time. An immediate consequence 
of Theorem |] is that HlDDEN SUBGROUP is efficiently solvable by a quantum algorithm in Z" x Z 2 . 

We remark that it is possible to extend the previous approach to solve HlDDEN TRANSLATION in 
the groups Z™ fc , where p k is a fixed prime power, but we do not know how to extend it to an arbitrary 
abelian group, even of bounded exponent. Therefore, we embark in a radically new direction whose 
bàsic idea is self-reducibility. Since HlDDEN TRANSLATION is not well-suited for this approach, we 
will consider Orbit COSET which is a quantum generalization of both HlDDEN TRANSLATION and 
Hidden Subgroup. Orbit Coset involves quantum group actions, that is groups acting on a finite set 
of mutually orthogonal quantum states. Given two such states \(/)q) and the problem consists in finding 
their orbit coset, that is the stabilizer of |0i) and a group element that maps \(pi) to \4>o}- 

With a slight modification, our algorithm of Theorem |] also works for Orbit COSET in Z™ whenever 
many copies of the input states are given. Moreover we show that Orbit COSET has the following self- 
reducibility property in any group G: it is reducible to Orbit Coset in G/N and subgroups of N, for any 
solvable subgroup N < G (Theorem |3|). This is the first time that such a general self-reducibility result 
has been obtained for a problem incorporating HlDDEN SUBGROUP. It involves a new technique based on 
constructing the uniform superposition of the orbit of a given quantum state (Orbit Superposition). We 
show how this problem is related to Orbit Coset (Theorem ||). The self-reducibility of Orbit Coset 
combined with its solvability for Z™ enables us to design an efficient quantum algorithm for Orbit COSET 
in groups that we call smoothly solvable groups (Theorem ||). These groups include solvable groups of 
bounded exponent and bounded derived series; in particular, upper triangular matrix groups of bounded 
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dimension over finite fields. For the special case of Stabilizer (i.e. Orbit Coset when |0i) = |0o))> 
we get an efíicient quantum algorithm for an even larger class of solvable groups viz. for solvable groups 
having a smoothly solvable commutator subgroup (Theorem ||). As an immediate consequence, we get 
efíicient quantum algorithms for HlDDEN TRANSLATION and HlDDEN SUBGROUP for the same groups as 
Orbit Coset and Stabilizer respectively. 



2 Preliminaries 

2.1 Group theory and quantum computation backgrounds 

We say that a quantum algorithm solves a problem with error e if for every input it produces an output whose 
distance from a correct one is at most e. We say that a problem V is reducible to a finite set of problems 
{ Qi ■ i G 1} with error expansion c > 0, if whenever each problem Qj has a quantum polynomial time 
algorithm with error e, problem V has also one with error ce. We say that a computational problem can 
be solved in quantum polynomial time if there exists a quantum polynomial time algorithm that outputs the 
required solution with exponentially small error. 



Our results concern groups represented in the general framework of black-box groups [ BS84 , WatOl ] 
with unique encoding. In this model, the elements of a finite group G are uniquely encoded by binary strings 
of length 0(log|G|) and the group operations are performed by an oracle (the black-box). The groups are 
assumed to be input by generators. In the case of an abelian group G, this implies also that we have at our 
disposal the decomposition of G into Z k 1 X . . . x Z k m , where p k% are prime powers QCMOip . We use 



Pi 

the notation <X> for the subgroup generated by a subset X of G. We denote by induction G^ k+1 ^ the 
commutator (G^Y of G^ k \ where H' = <{h- l k~ l hk : h,k G H}> for any subgroup H. Whenever 
G is solvable, the decomposition of G into its derived series G = G^ ï> G^ > . . . > G^ = {1g} 
can be computed by a randomized procedure [ BCF + 95 ]. Using quantum procedures of JWatOl ] jÍMS01| , 



Theorem. 10], we can compute the cyclic decomposition of each abelian factor group, and thereby expand 
the derived series to a composition series, where factor groups are cyclic of prime order. We introduce a 
shorthand notation for specinc solvable groups for which most of our results will apply. We say that an 
abelian group is smoothly abelian if it can be expressed as the direct product of a subgroup of bounded 
exponent and a subgroup of polylogarithmic size in the order of the group. A solvable group is smoothly 
solvable if its derived series is of bounded length and has smoothly abelian factor groups. For a smoothly 
solvable group G, by combining the procedures of [ CM01[ |Wat01 , IMS01 ], we can compute in quantum 



polynomial a smooth series G = Gq > G\ ï> . . . > G m = {1g}> where m is bounded, each factor group 
Gi/Gi+i is either elementary abelian of bounded exponent or abelian of size polylogarithmic in the order 
ofG. 

When G is abelian, we identify with G the set G of characters of G via some fixed isomorphism 
y i ^ Xy The orthogonal of H < G is defined as H 1 - = {y G G : V/í G H,Xy(h) = 1}. The 
quantum Fourier transform over G is the unitary transformation defined for every x G G by QFT G |x) = 
^2 yG G Xy( x )\y}- F° r th e sake of convenience, we will use the exact quantum Fourier transform in our 



algorithm. The actual implementation [ |Kit95| ] introduces only exponentially small errors. 

The following well known quantum Fourier sampling algorithm will be used as a building block, where 
G is a finite abelian group, S is a finite set and / : G — ► S is given by a quantum oracle. This algorithm is 
actually the main ingredient for solving HlDDEN SUBGROUP in abelian groups when the function / hides a 
subgroup H < G. In that case, Fourier sampling-^ (G) generates the uniform distribution over H^~. 
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Fourier sampling^ (G) 

1. Create zero-state |0) G |0) 5 .. 

2. Create uniform superposition on first register. 

3. Query function /. 

4. Compute QFT G on first register. 

5. Observe and then output the first register. 

A function / : G — > C s is a quantum function if, for every x G G, the vector \ f(x)) has unit norm, 
and, for every x,y G C7, the vectors |/(x)) and |/(y)) are either the same or orthogonal. We say that the 
quantum function / is given by a quantum oracle if we have at our disposal a unitary transformation Uf 
satisfying Uf\x) G \0) s = \x) G \f(x)) s , for every x G G. 

2.2 The problems 

Here we define the problems we are dealing with. 

Let G be a finite group and let /o,/i be two injective functions from G to some finite set S. The 
couple of functions (/o, f\) can equivalently be considered as a single function / : G x 2,2 — > 5 where by 
definition /(x, ò) = fb{x). We will use / for (/o, /i) when it is convenient in the coming discussion. We 
call an element u G G the translation of / if for every x G G, we have fi(xu) = fo(x). 

Hidden Translation 

Input: A finite group G and two injective functions /o, /i from G to some finite set 5 such that 
/ = (/o) /i) has a translation u G G. 
Output: u. 

For a finite group G and a finite set T of mutually orthogonal quantum states, we consider group actions 
of G on r. By definition, a:Gxr-»risa group action if for every x G G the quantum function 
a x : \<p) i-> |a(x, 10))) is apermutation over T such that the application x i-> a x is a group homomorphism. 
We extend a linearly to superpositions over T. When the group action a is fixed, we use the notation \x • <j>) 
for the state \a{x,\4>))). Having a group action a at our disposal means having a quantum oracle realizing 
the unitary transformation \x)\cj)) h-> \x)\x ■ </>). For any positive integer t, we denote by a* the group action 
of G on r* = {(0)®* : \(p) G T} defined by a*(x, |^) 0Í ) = |x • ^)®*. The group action a* is equivalent 
to a from the algebraic point of view. We need this because we define problems below where the input 
superpositions cannot, in general, be cloned. In most cases we need to work with several disentangled 
copies of the input superpositions in order to achieve reasonable solutions. The notion a l is introduced in 
order to capture these situations. Observe that one can construct a quantum oracle for a 1 using t queries to 
a quantum oracle for a. 

The stabilizer of a state \<fi) G T is the subgroup G\m = {x G G : \x ■ (f>) = | </>)}. Given \(f>) G T, the 
problem Stabilizer consists in finding 0(log|G|) generators for the subgroup G^y 

Proposition 1. Let G be a finite abelian group and let a be a group action of G. When t = 
íí(log(|C7|) log(l/e)), then STABILIZER in G for the group action a* can be solved in quantum time 
poly(log|G|) log(l/e) with error e. 

Proof. Let \<p) m be the input of Stabilizer. Let / be the quantum function on G defined by |/(x)) = 
|x ■ (f>), for every x G G. Observe that / is an instance of the natural extension of HlDDEN SUBGROUP to 
quantum functions and it hides the stabilizer Gu\. 

The algorithm for Stabilizer is simply the Standard algorithm for the abelian Hidden Subgroup 
with error e. In this algorithm, every query is of the form \x) G \ti) s . We simulate the i th query |x) G |0) s 
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using the i th copy of | <f>). The second register of the query is swapped with 1 4>) , and then we let act x on it. 
We remark that the Standard algorithm for abelian HlDDEN SUBGROUP outputs 0(log|C7|) generators for 
the hidden subgroup. ■ 

The orbit of a state \<p) G T is the subset G(\cf)}) = {|x • <fi) : x £ G}. The orbit coset of two states \4>q) 
and \4>i) of T is the set {u G G : \u • 0i) = \4>o)}- The orbit coset of |0o) and is either empty or a left 
coset uG^k (or equivalently a right coset G^u), for some u £ G. If the latter case occurs, \(J)q) and \<pi) 
have conjugated stabilizers: Gu ) = uGi^ju" 1 . Orbit Coset is a generalization of Stabilizer: 

Orbit Coset 

Input: A finite group G acting on a finite set T of mutually orthogonal quantum states, and two 
quantum states \4>q), \<f>\) G T. 

reject,ifG(|<^o))nG(|0 1 }) = 0; 

u £ G s.t. |u • </>i) = |0o) and 0(log|G|) generators for Gu-a , otherwise. 



Output: 



For a function / on G, the superposition of / on G is |/) = , 1 S eG Iff) l/(í?))> an d f° r x £ G, the 

x-translate of / is the function x • / : g i— > f(gx). Let T(/) = {|x • /) : x G G}. Then a group element 
x acts naturally on |/') G T(/) by mapping it to the superposition \x ■ f) of its x-translate. We call this 
group action the translation action. The mapping |x)|/') i— > |x)|x ■ /') is realized by right multiplying the 
first register of \f) by x _1 . 

Proposition 2. Let G be a finite group and let t = poly(log|G|). Then HlDDEN TRANSLATION (resp. 
Hidden Subgroup) is reducible to Orbit Coset (resp. Stabilizer) for the group action r*, where r 
denotes the translation action. The error expansion is 1. 

Proof. Let / be an instance of HlDDEN SUBGROUP. Then the stabilizer of |/) 0Í is the group hidden by 
/. Let (/o, fi) be an instance of HlDDEN TRANSLATION. Then the orbit coset of |/q)®* and is the 

translation of (/o, /i)- ■ 

Given |0) G T, the problem Orbit SUPERPOSITION consists in realizing the uniform superposition 
\G ■ 4>) = yJ\G{\4>))\ ^- i W)€ G (\'t>)) ^° te ^ at t ^ S su P er P osmon can be also written as 



3 Hidden Translation 

The main result of this section is that HlDDEN TRANSLATION can be solved in polynomial time by a 
quantum algorithm in the special case when G = Z™ for any fixed prime number p. In this section we use 
the additive notation for the group operation and x ■ y stands for the Standard inner product for x, y G Z". 
When p = 2, there already exists a quantum polynomial time algorithm since it is just an instance of Simon's 
xor-mask fïnding [ }Sim97| ]. 

The quantum part of our algorithm consists of performing Fourier sampling over the abelian group 
Z" x Z2. It turns out that from the samples we will only use elements of the form (y, 1). The important 
property of these elements y is that they are not orthogonal to the hidden translation. Some properties of the 
distribution of the samples are stated for general abelian groups in the following lemma. 

Lemma 1. Let f = (/o, /1) be an instance of HlDDEN TRANSLATION in a finite abelian group G having a 
translation u 7^ 0. Then Fourier samplingf (G x Z2) outputs an element in G x {1} with probability 1/2. 
Moreover, the probability of sampling the element (y, 1) depends only on Xy( u )> an d is ify G u^~. 
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Proof. The state of the algorithm Fourier sampling' (G x Z2) before the final observation is 

^EEE Xy(x)(l+(-l) c Xy(u))\y)\c)\f (x)). 

m 

When G = Z™, the value depends only on the inner product y • u over Z p , and y £ u 1 - exactly 

when y ■ u = 0. Therefore every (y, 1) generated satisnes y ■ u 7^ 0. Thus the output distribution is 
different from the usual one obtained for the abelian HlDDEN SUBGROUP where only vectors orthogonal to 
the hidden subgroup are generated. We overcome the main obstacle, which is that we do not know the actual 
value of the inner product y • u, by raising these inequations to the power p— 1. They become a system of 
polynomial equations since a p_1 = 1 for every non-zero a £ Z p . In general, solving systems of polynomial 
equations over any finite field is NP-complete. But using the other special feature of our distribution, which 
is that the probability of sampling (y, 1) depends only on the inner product y-u, we are able to show that after 
a polynomial number of samplings, our system of equations has a unique solution with constant probability, 
and the solution can be determined in deterministic polynomial time. 

To sol ve our system of polynomial equations, we linearize it in the (p— l) st symmetric power of Z™. We 
think of Z p as an n-dimensional vector space over Z p . For a fixed prime number p and an integer k > 0, let 

Zp fc ^[xi, . . . , x n ] be the k th symmetric power of Z p which will be thought of as the vector space, over the 
finite field Z p , of homogeneous polynomials of degree k in variables x\, . . . , x n . The monomials of degree 

p— 1 form a basis of Z p p ^ [x\, . . . , x n ], whose dimension is therefore ( n+ ^ 2 ), which is polynomial in n. 

For every y = (a%, . . . , a n ) £ Z™, we define y^ £ Zp k \xi, . . . , x n ] as the polynomial (Yl]=i a j x j) h - 

Now observe that if the hidden translation vector is u = (u±, . . . ,u n ) then the vector u* £ zj^ [xi, . . . , x n ] 
which for every monomial x^ 1 ■ ■ ■ x e ™ has coordinate u^ 1 ■ ■ ■ u e ^ , satisfies t/p -1 ) -u* = (y Therefore 
each linear inequation y ■ u ^ over Z™ will be transformed into the linear equation y^ 1 ) ■ JJ = 1 over 

Z p p ^ [x\ , . . . , x n ], where U is a dim Z p p ^ [xi , . . . , x n ]-sized vector of unknowns. 

In fact, the polynomials y^ 1 ) have full rank when y ranges over Z™. Moreover, in what is the 
main part of our proof, we show in Lemma |3| that whenever the span of y^ -1 ) for the samples y is not 
zjíf [x\, . . . ,x n ], our sampling process furnishes with constant probability a vector y G Z™ such that 
yip- 1 ) j s Hnearly independent from the y( p_1 ) for the previously sampled y. This immediately implies that 
if our sample size is of the order of the dimension of Z p p _1 ^[xi, . . . , x n ], the polynomials are of full 

rank with high probability. When the polynomials have full rank, the linear equations y( p_1 ) • U = 1 have 
exactly one solution which is u* . From this unique solution one can easily recover a vector v such that 
v* = u*. Since u is of the form av, for some < a < p, the translation vector can be found by checking 
the (p— 1) possibilities. 

The following combinatorial lemma is at the basis of the correctness of our procedure. 

Lemma 2 (Line Lemma). Let y,z £ Z™ and let L z ^ y = {(z + ay)^ 1 ^ : < a < p — 1}. Then 
yíP'V £ Span(L^). 

Proof. Let M ZjV = : < k < p - 1}. Clearly Span(L 2j3/ ) is included in Span(M z ^ y ). We 

claim that the inverse inclusion is also true since the determinant of L Z:V in M ZjV is non-zero. Indeed, it 

^ s (rifc=o (^fc 1 )) ^(0) I? 2, . . . ,p — 1), where V denotes the Vandermonde determinant. The lemma now 

follows because M ZtV contains y^ p ~ l \ ■ 

Since the proof of the following proposition uses similar ideas as the proof of the Line Lemma, it is 
omitted. 
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Proposition 3. Zp 1 [x\, . . . , x n ] is spanned by y( p ^ as y ranges over Z™. 
We are now ready to prové our main lemma. 

Lemma 3. Let u G Z™, u / and W be a subspace ofZ^ 1 ^ [x\, . . . , x n ]. We set R = {y G Z™ : y^ p ~^ £ 

W}. For k = 0, . . . ,p - 1, letV k = {y G Z£ : y ■ u = k} and R k = Rf)V k . IfW / Z? _1) [xi, . . . , x n ], 
then |12*|/|Vfc| < (p - l)/pfor k = 1, . . . ,p - 1. 

Proof. Since W ^ ^[xi, ... ,x n ], Proposition || implies that R ^ Z™. We consider two cases. In 
the first case, Vq Ç R. This implies that i?i is a proper subset of V\ . Choose any y G V\ \ R\. Then by 
Lemma ||, in every coset of <y> there is an element outside of R. A coset of <y> contains exactly one 
element from each Vt, k = 0, . . . ,p — 1. Hence Ufe^o^fc is partitioned into equal parts, each part of size 
p — 1, by intersecting with the cosets of <y>. In each part, there is an element outside of R. Therefore 
lUfc^o-Rfcl/lUfc^oVfcl < (p - 2)/(p - 1). Now observe that R k = {ky : y G for k = 1, . . . ,p - 1. 
Therefore the sets iï^ have the same size, and the vàlues |-Rfc|/| Vk\ are the same for k = 1, . . . ,p — 1. Thus 
|-Rfc|/|14| < (p — 2)/(p — 1) for fe = 1, . . . ,p — 1, and the statement follows. 

In the second case, Vq % R. Therefore, there is an element y G Vq\Rq. Then every Vk, k = 0, . . . ,p— 1, 
is a union of cosets of <y>. The Line Lemma below implies that every coset of <y> contains an element 
outside of R. This proves that |iïfe|/| Vk\ < (p — l)/p for k = 1, . . . ,p — 1. This completes the proof of the 
lemma. ■ 

We now specify the algorithm Translation finding and prové that, with high probability, it finds the 
hidden translation in quantum polynomial time. 

Translation finding^ (Z™) 

0. If / (0) = /i(0) then output 0. 

1. N^13p{ n + p - 2 ). 

2. For i = 1, . . . , N do (zí, b{) <— Fourier sampling^(Zp x Z2). 

3. {yi, . . .,vm} «- {zí ■ h = 1}. 

4. For i = 1, . . . , M do Y % <- yj p_1) . 

5. Solve the system of linear equations Y\ ■ U = 1, . . . , Ym ■ U = 1. 

6. If there are several solu tions then abort. 

7. Let 1 < j < n be such that the coefficient of 1 is 1 in U. 

8. Let v = (vi, . . . , v n ) G Z™ be such that = 1 and v k is the coefficient of XkXj 2 in U for 7^ j. 

9. Find < a < p such that / (0) = fi(av). 
10. Output av. 

Theorem 1. For every prime number p, every integer n > 1, arcc? every function f having a translation 
in Zp, Algorithm Translation Finding^(Zp) aborts with probability less than 1/2, and when it does not 
abort it outputs the translation of f. The query complexity of the algorithm is 0{p{n + and its time 

complexity is (n + p)°( p \ 

Proof. Because of Step of the algorithm, we can suppose w.l.o.g. that the translation u of / is non-zero. 

If the algorithm does not abort, then U = u* is the unique solution of the system in Step 5. When the 
coefficient of x P 1 is 1 in U, then Uj 7^ 0. Also, u k = UjVk for every k. Thus, u = UjV and u is found in 
Step 9 for a = Uj. 

From Lemma [ÏJ, the probability that Fourier sampling^ (Z™ x Z2) outputs (y, 1) for some y is 1/2. 
Therefore the expected value of M is N/2, and M > N/3 with probability 1 — e -A 7 18 < 1/4 because of 
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Chernoff bound. If the system Y\ , . . . , Ym has full rank, then it has a unique solution. By Lemmas |ï| and [|, 
the expected number of linear equations that guarantee that the system has full rank is p("p^ 2 ). Since 

N/3 > 4p( n +P- 2 ), the solution U is unique with probability at least 3/4 using Markov's inequality. Thus, 
the total probability of aborting is less than 1/2. ■ 

Corollary 1. Let p be afixed prime. HlDDEN TRANSLATION in Z" can be solved in quantum polynomial 
time. 

Proof. We perform two modificacions in Algorithm Translation finding. First, to get error e, the integer N 
is multipliedby 0(log(l/e)). Moreover, we assumed in the algorithm that there is an oracle for / = (/o,/i), 
that is the functions /q and fi can be quantumly selected. This is not possible in general when /o and f\ 
are given by two distinct oracles. Therefore we replace the oracle access |x)|6)|0) 5 i— ► \x)\b)\fb(x)) by 

|s)|6)|0) s |0> s ^|x)|6)|/ 6 (x))|/ 1 _ 6 (-x)). 
With this type of oracle access the algorithm Translation finding performs just as well. 

Let us now show how to simulate this new oracle access. From |x)|6)|0) 5 |0) s we compute 
|(-i) b x)|ò)|0) 5 |0) 5 , and then we call f and get |(-i) b x)|6)|/ ((-i) fe x)) 5 |0) 5 . We multiply the first register 
by (-1) and call /i which gives \(-i) b+1 x)\b)\f ((-i) b x)) s \fi((-i) b+1 x)) s . Finally, we multiply the first 
register by and swap the last two registers when 6 = 1. ■ 

Since there is a quantum reduction from HlDDEN SUBGROUP to HlDDEN TRANSLATION for Z" xi 



Z2 [EHOO], we obtain the following corollary. 



Corollary 2. Let p be afixed prime. HlDDEN SUBGROUP in Z™ x Z2 can be solved in quantum polynomial 



p 

time. 



The algorithm Translation finding can also be extended to solve Orbit COSET in Z™. 

Corollary 3. Let p be a prime. Let a be a group action of HI. When t = 0(p(n + log(l/e)), 
ORBIT COSET in Tiï^for a* can be solved in quantum time (n + p)°(p) log(l/e) with error e. 

Proof. Let (|0 O ) 0Í , |</>i) 0í ) be the input of Orbit COSET. We can suppose w.l.o.g. that the stabilizers of 
|<^o) and are trivial. Indeed the stabilizers can be computed by Proposition [T[ If they are different then 
the algorithm obviously has to reject, otherwise we can work in the factor group Z™/C7|^ ^ = Z™ , for some 
n' < n. 

For b = 0, 1, let be the injective quantum function on G defined by \fb(x)) = \x ■ cj)},}, for every 
x G G. If the orbit coset of (|</>o), \<i>i)) i s empty, then /o and f\ have distinct ranges. Otherwise the orbit 
coset of (1^0)1 1 0i } ) is a singleton {u}, and (fo, f\) have the translation u. 

The algorithm for Orbit Coset on input (|</í>o) 0í 5 \4>i) & ) is tn e algorithm Translation finding on 
input / = (/o, fi) with a few modificacions described below. The oracle access to / is modified in the same 
way as Corollary [[]. We simulate the í th query |íc)|6)|0)g|0) s using the i th copy of (|çi>o)) l^i})- The last two 
registers are swapped with |</>è)|</>i-6), and then we let act x on the |</>b) and (— x) on \4>i-b)- 

The equality tests in steps and 9 are replaced by the swap test [ BCWW01 , |GC01 ] iterated O (log ( 1 /e) ) 



times. Finally, N is multiplied by 0(log(l/e)), and the algorithm rejects whenever the algorithm 
Translation finding aborts or there is no solution in steps 5 and 9. ■ 

4 Orbit superposition 

The purpose of this section is to show that Orbit Superposition is reducible to Orbit Coset in solvable 
groups G. The proof will be by induction along a composition series of G. The induction step is based on 
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the technique of [ ]Wat01[ ] to create a uniform superposi tion of elements of G. One way of stating Watrous's 
result is that it sol ves Orbit SUPERPOSITION for the case of the special action when G acts on itself by left 
multiplication. More precisely, the induction step uses the following lemma. 

Lemma 4. Let K be afinite group and a be a group action of K on V. Let L < K such that K/L is cyclic 
ofpríme order r, and \(f>) G T. Given an element z £ K — L, the number r and \4>)\L ■ </>)® , realizing 
\4>)\K ■ (f)) <s> ^ t ~ 1 \ is reducible to Orbit COSET in K for a with error expansion 0(t), for every positive 
integer t. 

Proof. The analysis of the algorithm will distinguish between two cases: case one is when <2 L, and 
case two is when Ku\ Ç L. In the first case, for every x G G, \x • (L • <p)) = \K ■ <p), and in particular, 
\L • 4>) = \K ■ 4>). In the second case, \K ■ <j>) = 4^ Yli=o \ z% ' {L ■ 4>)) , since the order r is prime. 

The algorithm first computes í copies of A= J2l=o K) l z * ' ' </'))> fr° m the í copies of \L ■ 4>). We want 
to disentangle the first registers using Watrous's method. We apply the quantum Fourier transform over Z r 
in these registers. In the first case we obtain the state (|0) • 4>))® 1 , and in the second case we obtain the 
state Sj=o b") iV'j))®*» where \ipj) = Y^l=o b$\z l ' {L • </>)), and u r is a fixed primitive r th -root of 
unity. 

We now describe the rest of the algorithm by specifying how it behaves on the terms of the above tensor 
products. Let \jo)\ipj )\ji)\ipj 1 ) ■ ■ ■ ^t-ijtyjt-i) be such a term. If all the vàlues j are then the algorithm 
does nothing. Observe that if this happens, we already have í copies of the desired superposition \K • 4>), 
independently of which case we are in. Otherwise, let f be the first non-zero j. Note that this can only 
happen in case two. We swap \jo)\^j ) and \j')\ipj>), and record the value j' in an ancilla register. For 
convenience of notation, we continue to refer to the first two registers as \jo)\^j }- Thus, we have ensured 
that jo 7^ 0. Using \ij)j ) our purpose will be to cancel the phases of all the other states \ipj) for which j / 0. 
Observe that \l ■ if)j ) = \if)j ) for every l G L (and hence for every k G Ku\), and \z ■ ipj ) = uir^^jo)- 
Therefore if we set / = j(io) 1 mod r for some j / 0, then, for every i G {0, . . . , r — 1}, l G L, and 

keK w ,\{z i lky·l> j0 ) = uï ij \il> j0 ). 

We now complete the reduction by computing 1^)1^)1^ • <p) from \4>)\ijjj )\il)j) , when j ^ 0. Note 
that if j = 0, is already equal to \K ■ <j>). For every state \z l l ■ (f>) of we find the coset z % lK\^\ using 
Orbit Coset in K for \z l l ■ 4>) and \<f>). Let z l lk be some representative of the coset where k G Kus- We 
let (z l lk)f act on \i/)j ) and reverse the previous Orbit COSET procedure. This realizes the transformation 

|0>|^io)|^ • (f>) >-> ^|0}|^ O }|^Z • <p). The effect on |^)|^o)l^i> is I0)l^io)l-^ • <P)- Since the first 
pair of registers remains unchanged, the process can be repeated for the other states, and therefore we get 
\4>)\jo)\' l l·>jo)\ji)\K " 4>) ■ ■ ■ \Út-l)\K ' 4>}> together with some garbage in the ancilla register. 

■ 

Theorem 2. Let G be a finite solvable group and let a be a group action on V. Let \<f>) G T. Given 
|^®(s+Liog|G|J+l)^ rea ii z i ng \(j))\G ■ (j))® s is reducible to Orbit Coset in subgroups of G for a with error 
expansion 0(slog|G| +log 2 |G|). 

Proof. Let us recali that the group G can be given with elements Z{ and primes r^, for i = 0, ... , m— 1, such 
that G has a composition series G = Gq > G\ > . . . D> G m = {1g}, where Gj/Gj+i is cyclic of order r, and 
is generated by zíGí + \. By induction, for i = m downto i = 0, we will produce the state \(f)}\Gi ■ (j))®( s+i \ 
For i = m, by the hypothesis we have at least s + m + 1 states |çí>) = \G m • <p) since m < log|G|. 
Assume now that we have \<j>) and s + i copies of the state \G{ ■ cf>). By applying Lemma [| with K = 
L = Gi, z = Zi-i and r = rj_i, we get s + i — 1 copies of the state • <j)). When i = 0, we obtain 

\Ò)\G-Ò)® S . 



9 



5 Orbit coset self-reducibility 



This section is based on the following theorem stating the reducibility of Orbit COSET in G to 
Orbit Coset in proper normal subgroups of G under some conditions. Given a group action a of G 
on a finite set T of mutually orthogonal quantum states, we define for every proper normal subgroup N <l G 
the group action a N of G/N on {\N ■ 0) : |0) G T} by on(xN, \N ■ (/))) = \x ■ (N ■ (/))), for every x G G 
and \cj>) G T. Note that this action is independent of the coset representative chosen. 

Theorem 3. Let G be a finite group and let N <a G, N ^ G be solvable such that G, N and G/N are 
black-box groups with unique encoding. Let a be a group action of G and let s > 1 be an integer. When 
t = ü(s + log|G|), Orbit Coset (resp. Stabilizer) in G for a l is reducible to Orbit Coset in 
subgroups of N for a and ORBIT COSET (resp. STABILIZER) in G/N for (cín) s with error expansion 
0( S log|G|+log 2 |G|). 

Proof. We first prové the statement for the Stabilizer reduction. The proof for the Orbit Coset 
reduction uses the result for Stabilizer. This is indeed legitimate since Stabilizer is the special case of 
Orbit Coset when the two inputs are identical. 

Let |çí>) be an instance of Stabilizer. Its stabilizer H is the same as the stabilizer of First we 
compute 0(log|iV|) generators for the intersection Hq = H n N using Stabilizer in N for a in quantum 
polynomial time. Then we use Orbit Coset in N to construct H\ < G which in fact will turn out to be 
H. The properties which will ensure that equality are Hq < H\ < H and H\N/N = HN/N. Indeed, the 
frrst property clearly implies that H\ D N = H D N, which together with the second one gives that H\ = H 
from the isomorphism theorem. 

To construct H\ we add to Hq generators in H of HN/N. The construction proceeds in two steps. First, 
we find a set V Ç G which, when its elements are considered as coset representatives, contains a generator 
set for HN/N. Then, for every coset zN where z G V, we find a coset representative of zN in H. This step 
is achieved via a reduction to Orbit Coset in N. The collection of those representatives and Hq together 
generate the desired subgroup H\. 

The stabilizer of \N ■ <j>) for in G/N is HN/N. Therefore finding V is reducible to Stabilizer in 
G/N for (onY on input \N ■ </))® s . By Theorem ^, creating this input is also reducible to Orbit COSET in 
subgroups of N for a on input s + [log|G|J + 1 copies of \(j)). Note that the size of V is 0(\og\G/N\). 

We describe now how to find, using Orbit Coset in N, for each z G V, an element n G N such that 
zn G H. Fix z G V. We can construct \(j>') = \z~ x ■ <p) using a copy of \<p). In the subgroup N, the states 
\4>') and \4>) have the orbit coset uHq. Thus the coset hHq can be found using Orbit Coset in iV for a. 

We now turn to the proof of the Orbit Coset reduction. Let (|</>o) 0í , |0i) 0í ) be the input of 
Orbit Coset. Their orbit coset is identical to the orbit coset of (|</>o), |<^i)) 5 and it is either empty or 
uGifa'i, for some u G G. We compute H = Gu^ using the above construction. When the orbit coset of the 
input is empty, the states \N ■ </>o)^ s and \N ■ 4>i)® s have also empty orbit coset. Otherwise they have the 
orbit coset uHN/N. 

By Theorem |[ the constructions of states \N ■ <j)o)® s and \N ■ ^i)® 5 are reducible to Orbit COSET 
in N for a on inputs s + [log| C| J + 1 copies of |^o) and \<pi). Then using Orbit Coset in G/N for 
(ajv) s in input \N ■ 4>o)® s and \N ■ 0i)® s , we reject if the inputs have empty orbit coset, or we find the 
coset (uHN)/N, that is an element v G uHN. 

Using Orbit Coset in N, we can find an element n G N such that vn G uH by the method already 
used in the Stabilizer reduction. We construct the state \cj)' ) = jw^ 1 • 0q) using one copy of \4>q). Let us 
denote Hq = H n N. Since in the subgroup N, the states \<p' ) and \<pi) have the orbit coset uHq, where 
n G N is such that vn G uH, we complete the proof using Orbit Coset in N. ■ 
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Theorem 4. Let G be a smoothly solvable group and let a be a group action of G. When t = 
(log íí W|G ! |)log(l/e), Orbit COSET can be solved in G for a? in quantum time poly(log|C7|) log(l/e) 
with error e. 

Proof. As G is smoothly solvable, it has a smooth series G = Gq > G\ > . . . G m _i D> G m = {lc}» where 
m is bounded, Gj/Gj+i is either elementary abelian of bounded exponent or of size polylogarithmic in the 
order of G. Observe that we have a cyclic prime power decomposition of each factor group Gi / Gi + \ , and for 
this representation, we have a black-box oracle for the group action of Gí/Gi+i on {|Gj + i • cj>) : \<p) £ T}. 

The proof is by induction on m. The case m = is trivial. For the induction, we can efficiently solve 
Orbit COSET in the factor group Gq/G\\ if it is of polylogarithmic size we just do an exhaustive search, 
otherwise we apply Corollary |. Therefore Theorem || reduces Orbit Coset in G to Orbit Coset in 
subgroups of G\. Any subgroup K of G\ has a smooth series of length at most m— 1, since the intersection 
of a smooth series for G\ with K gives a smooth series for K. The running time of the overall procedure is 
(log|G|)°( m )log(l/e). ^ ^ ■ 

Theorem 5. Let G be afinite solvable group having a smoothly solvable commutator and let a be a group 
action of G. When t = (log^^^GI) log(l/e), Stabilizer can be solved in G for a* in quantum time 
poly(log(|G|) log(l/e) with error e. 

Proof. By Theorem |, Stabilizer in G is reducible to Stabilizer in G/G' and Orbit Coset in 
subgroups of G' . The factor group G/G' is abelian and subgroups of G' are smoothly solvable. Therefore, 
from Proposition |] and Theorem |] the statement follows. ■ 

Since, by Proposition ||, Hidden Translation and Stabilizer are respectively reducible to 
Orbit Coset and Stabilizer, we get similar results for these two problems. 

Corollary 4. HlDDEN TRANSLATION can be solved in smoothly solvable groups in quantum polynomial 
time. HlDDEN SUBGROUP can be solved in solvable groups having a smoothly solvable commutator 
subgroup in quantum polynomial time. 
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